top of page

Manage on-premise servers using AWS services

""

Cloud computing is great for deploying your systems and taking advantage of all its benefits—scalability, cost savings, and flexibility. But sometimes, on-premise servers need to meet specific requirements like security compliance, very low throughput, and real-time response requirements. This post compiles useful AWS services and tools for easily managing on-premise servers while meeting all of these requirements and keeping your local infrastructure.


AWS Systems Manager

AWS Systems Manager is a suite of tools for centrally managing, visualizing, and operating nodes. However, it is not limited to AWS environments. Installing the SSM agent on the on-premise servers allows you to use all the SSM tools to manage them.


Install the SSM agent in your on-premise server

I’m using Ubuntu 22.04 for this demo; however, the AWS documentation lists all supported OSes.


Follow these steps to install the agent:


  1. Access your AWS account and look for AWS Systems Manager service in the search bar.

  2. In the AWS Systems Manager dashboard, go to Hybrid Activation and create a new activation.

  3. All the fields are optional, or you can keep the default value. Then click on the Create Activation button.

""

  1. Save the Activation Code and Activation ID values because they will be required later and you cannot see them again.

  2. Run the following commands:


mkdir /tmp/ssm
# replace <region> with the region you are using in the AWS account chosen.
curl 
https://amazon-ssm-region.s3.region.amazonaws.com/latest/debian_amd64/ssm-setup-cli -o /tmp/ssm/ssm-setup-cli

sudo chmod +x /tmp/ssm/ssm-setup-cli

sudo /tmp/ssm/ssm-setup-cli -register -activation-code "activation-code" -activation-id "activation-id" -region "region"

  1. Check that your server is online under the Fleet Manager page:

""

Now that we have the SSM agent installed, we can use all Systems Manager tools to manage this on-premise server. See the following examples:


Start a terminal session

  1. Go to the Fleet Manager page.

  2. Choose the instance to manage (notice that non-EC2 nodes ID starts with mi- and EC2 instances with i-)

  3. Click on node actions > Connect > Start terminal session.


""

Easily encrypt session connections and log actions

Systems Manager allows to improve security and meet security requirements easily, for example, when encrypting connections using KMS keys and logging all the activity (all commands executed in an SSM session) to S3 and/or Cloudwatch.


Configure these options and more by doing the following:


  1. Go to the Session Manager page.

  2. Go to the Preferences tab and click on the Edit button.

  3. From here, you can configure the following settings:

    1. Idle session timeout.

    2. Max session duration.

    3. KMS encryption (be aware of allowing access to the chosen KMS key to all principals involved, SSM principal, EC2 principal, and IAM Users)

    4. Enable logging (Cloudwatch or S3, according to what you need).


Patch your instances

You can handle patching in a centralized way by following these steps:


  1. Go to the Fleet Manager page.

  2. Choose the instance to manage.

  3. Click on node actions > Tools > Patch nodes.

  4. Configure the patch strategy according to your preferences.


This is useful to patch all or many on-premise servers simultaneously.

Run commands in all your fleet at once

The Run command tool makes it possible to run bash command (and others) in all or many instances at the same time, even EC2 and on-premise instances all at once.


Use case example:

Often, I have to allow SSH keys in all our on-premises servers, so instead of doing it one-by-one, I use this tool to speed up the procedure, executing the following scripts in all servers at the same time.

echo "<SSH Public key>" > ~/.ssh/authorized_keys

This line copies the SSH public key into the file ~/.ssh/authorized_keys. By default, SSH services use this file to store all allowed keys that can establish an SSH session for the specific user.


You can do something similar by  following these steps:


  1. Go to the Run command page and click on the Run command button.

  2. Choose the command document from the list (AWS-RunShellScript in my case).

  3. Add your commands in the field under Command parameters and complete other options according to your preferences.

  4. Specify the Target selection (in which nodes run the commands).

  5. Click on Run


A summary will be shown about how the script ends in each node.

Run SSH over SSM sessions

This is very useful for remote access and managing servers over SSH sessions but more securely, since we don’t need to expose ports to the Internet, and at the same time we can take advantage of all SSH features.


To do this we will use the following SSM Document: AWS-StartSSHSession

{  
"schemaVersion": "1.0",
"description": "Document to open SSH connection over session manager to an instance",
"sessionType": "Port",
"parameters": {
	"portNumber": {
		"type": "String",
		"description": "(Optional) Port number of SSH server on the instance",
"allowedPattern": 
"^([1-9]|[1-9][0-9]{1,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$",
		"default": "22"
    }
  },
  "properties": {
    "portNumber": "{{ portNumber }}"
  }
}

You can find this document in the Document section of Systems Manager.


Usage

Usually, we start SSM sessions using the AWS CLI with the following command:

aws ssm start-session --target "mi-03074e52a2f5ef7ea" --region us-east-1

Then you can include the above document like this:

aws ssm start-session --region us-east-1 --target mi-03074e52a2f5ef7ea --document-name AWS-StartSSHSession --parameters 'portNumber=22'

To make it even easier you can include this command in the file ~/.ssh/config as follows:

Host <hostname>
	HostName %h
	User <username>
	ProxyCommand bash -c "aws ssm start-session --region us-east-1 --target mi-03074e52a2f5ef7ea --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

* Replace <hostname> and <username> for the correct values here.


Finally, use ssh <hostname> to start the SSH connection over the SSM session.


Caveat: The following tools are required to do this:


Monitor on-premise servers with CloudWatch


On-premise servers can be monitored by using Amazon CloudWatch by installing the CloudWatch agent in the servers we want to monitor. By doing this, it is possible to monitor server metrics, collect logs, and create alarms based on metrics, all from the Cloudwatch Dashboard.


Install the CloudWatch agent

  1. Create IAM users to use with the CloudWatch agent on on-premises servers.

    1. Create a new IAM User.

    2. Add the following IAM Policy to the user: CloudWatchAgentServerPolicy. Optional IAM Policies: CloudWatchAgentAdminPolicy and AmazonSSMManagedInstanceCore.

    3. Create an access key for the user (and save the Access Key ID and Secret Access Key).

  2. Configure the AWS profile with the credentials created using this command:

sudo aws configure --profile AmazonCloudWatchAgent

  1. Install the CloudWatch agent with the following commands:

# Replace the region with the correct one for you.
wget https://amazoncloudwatch-agent-us-east-1.s3.us-east-1.amazonaws.com/ubuntu/amd64/latest/amazon-cloudwatch-agent.deb

sudo dpkg -i -E ./amazon-cloudwatch-agent.deb

# use the wizard to create the agent configuration easily
sudo /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard

Get the correct URL according to your OS from the AWS documentation, here.


By doing this, you will have the CloudWatch agent running on the on-premise server. This allows you to monitor it from CloudWatch and use all its features, such as monitoring metrics, creating alarms, collecting logs, and so on.


You can customize the agent configuration even more by editing the file /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.d/file_config.json


This file allows you to customize which metrics to send to CloudWatch and the collection interval. This is useful for optimizing costs according to your needs.


Conclusion

This post aims to provide you with useful tools to manage your on-premise fleet by using AWS tools as if they were EC2 instances. Using tools like AWS Systems Manager and CloudWatch, you can centralize operations, enhance security, and automate various tasks, all while retaining a portion of your infrastructure on-premise. 


We use all the tools described here daily, but there are many more that you can discover and use. To learn more about AWS services for managing on-premise infrastructure, visit our blog for first-hand insights from our team. If you need an AWS-certified team to deploy, scale, or provision your IT resources to the cloud seamlessly, send us a message here.









Cloud Engineer

Ignacio Rubio

bottom of page